Solved: How do I store the delta value in the previous row

HattrickNZ · ‎01-23-2018

I have the following:

    _time   condition   delivery    sent
1   21/01/2018 0:00 0:00    264464  331477
2   22/01/2018 0:00 0:00    271339  339201

what I want is the delta value which is 6875 and 7724

_time   condition   delivery    delivery_d  sent    sent_d
1   21/01/2018 0:00 0:00    264464      331477   
2   22/01/2018 0:00 0:00    271339  6875    339201  7724

But my question is how do I store the delta of 6875 and 7724 in the previous row 21/01/2018 0:00

This is my full search:

 | makeresults |   eval data = "
   801    20/01/2018 18:40    262719    329507;
   863    20/01/2018 23:50    264437    331450;
   864    20/01/2018 23:55    264454    331467;
   865    21/01/2018 0:00    264464    331477;
   1151    21/01/2018 23:50    271316    339177;
  1152    21/01/2018 23:55    271328    339189;
  1153    22/01/2018 0:00    271339    339201;
  1154    22/01/2018 0:05    271354    339221;
  1155    22/01/2018 0:10    271365    339232;
  1156    22/01/2018 0:15    271373    339240" | 
  makemv delim=";" data | 
  mvexpand data  | 
  rex field=data "(?<serial>[\d]*)\s+(?<_time>\d{2}\/\d{2}\/\d{4}\s+\d{1,2}\:\d{1,2})\s+(?<delivery>\d+)\s+(?<sent>\d+)" | 
  fields - data serial | 
  rex field=_time "(?<condition>\d{1,2}:\d{1,2})" |
  where condition="0:00" OR condition="00:00" | 
  delta delivery as delivery_d | 
  delta sent as sent_d |

mayurr98 · ‎01-23-2018

you can try something like this as well

 | makeresults 
 | eval data = "
    801    20/01/2018 18:40    262719    329507;
    863    20/01/2018 23:50    264437    331450;
    864    20/01/2018 23:55    264454    331467;
    865    21/01/2018 0:00    264464    331477;
    1151    21/01/2018 23:50    271316    339177;
   1152    21/01/2018 23:55    271328    339189;
   1153    22/01/2018 0:00    271339    339201;
   1154    22/01/2018 0:05    271354    339221;
   1155    22/01/2018 0:10    271365    339232;
   1156    22/01/2018 0:15    271373    339240" 
 | makemv delim=";" data 
 | mvexpand data 
 | rex field=data "(?<serial>[\d]*)\s+(?<_time>\d{2}\/\d{2}\/\d{4}\s+\d{1,2}\:\d{1,2})\s+(?<delivery>\d+)\s+(?<sent>\d+)" 
 | rex field=_time "(?<condition>\d{1,2}:\d{1,2})" 
 | where condition="0:00" OR condition="00:00" 
 | delta delivery as delivery_diff 
 | delta sent as sent_diff 
 | search delivery_diff=* 
 | eval _time=strftime((strptime(_time,"%d/%m/%Y %H:%M")-86400),"%d/%m/%Y") 
 | fields _time delivery_diff sent_diff

let me know if this helps!

View solution in original post

mayurr98 · ‎01-23-2018

you can try something like this as well

 | makeresults 
 | eval data = "
    801    20/01/2018 18:40    262719    329507;
    863    20/01/2018 23:50    264437    331450;
    864    20/01/2018 23:55    264454    331467;
    865    21/01/2018 0:00    264464    331477;
    1151    21/01/2018 23:50    271316    339177;
   1152    21/01/2018 23:55    271328    339189;
   1153    22/01/2018 0:00    271339    339201;
   1154    22/01/2018 0:05    271354    339221;
   1155    22/01/2018 0:10    271365    339232;
   1156    22/01/2018 0:15    271373    339240" 
 | makemv delim=";" data 
 | mvexpand data 
 | rex field=data "(?<serial>[\d]*)\s+(?<_time>\d{2}\/\d{2}\/\d{4}\s+\d{1,2}\:\d{1,2})\s+(?<delivery>\d+)\s+(?<sent>\d+)" 
 | rex field=_time "(?<condition>\d{1,2}:\d{1,2})" 
 | where condition="0:00" OR condition="00:00" 
 | delta delivery as delivery_diff 
 | delta sent as sent_diff 
 | search delivery_diff=* 
 | eval _time=strftime((strptime(_time,"%d/%m/%Y %H:%M")-86400),"%d/%m/%Y") 
 | fields _time delivery_diff sent_diff

let me know if this helps!

HattrickNZ · ‎01-24-2018

tks.
this was a followon question from here

elliotproebstel · ‎01-23-2018

As I understand it, Splunk is applying the delta values by sort order. So one option is to reverse the sort order before calculating delta values. However, this reverses the sign of the delta result, which you can undo by subtracting the newly-calculated delta value from 0. Here's my sample code:

| makeresults 
|   eval data = "
    801    20/01/2018 18:40    262719    329507;
    863    20/01/2018 23:50    264437    331450;
    864    20/01/2018 23:55    264454    331467;
    865    21/01/2018 0:00    264464    331477;
    1151    21/01/2018 23:50    271316    339177;
   1152    21/01/2018 23:55    271328    339189;
   1153    22/01/2018 0:00    271339    339201;
   1154    22/01/2018 0:05    271354    339221;
   1155    22/01/2018 0:10    271365    339232;
   1156    22/01/2018 0:15    271373    339240" 
| makemv delim=";" data 
| mvexpand data  
| rex field=data "(?<serial>[\d]*)\s+(?<_time>\d{2}\/\d{2}\/\d{4}\s+\d{1,2}\:\d{1,2})\s+(?<delivery>\d+)\s+(?<sent>\d+)" 
| fields - data serial 
| rex field=_time "(?<condition>\d{1,2}:\d{1,2})" 
| where condition="0:00" OR condition="00:00" 
| sort -_time 
| delta delivery as delivery_d 
| delta sent as sent_d 
| eval delivery_d=0-delivery_d, sent_d=0-sent_d

elliotproebstel · ‎01-23-2018

In this particular case, instead of subtracting from 0, you could use the abs() function - but that would not be guaranteed to meet the requirement I understand here, which is to move the original delta value from one line to the next, regardless of the sign.

How do I store the delta value in the previous row

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms